- Nix 97.9%
- Python 2.1%
June
e0b593289d
Enable the relevant config option and move to new network with an explicit IPv6, because otherwise there's no default v6 route and v6 in the Docker containers doesn't work. |
||
|---|---|---|
| config | ||
| modules/services/audio | ||
| patches | ||
| .editorconfig | ||
| .gitignore | ||
| .sops.yaml | ||
| deployment_configuration.json | ||
| flake.lock | ||
| flake.nix | ||
| LICENSE | ||
| README.md | ||
nix-infra
nix infrastructure configuration for CCCHH.
For deployment we're using infra-rebuild.
To easily get a shell with infra-rebuild going, use the following command:
nix shell git+https://git.hamburg.ccc.de/CCCHH/infra-rebuild#infra-rebuild
After that you can simply run the following to deploy e.g. the git and matrix hosts:
infra-rebuild switch git matrix
By default infra-rebuild tries to use the FQDN from the nixosConfiguration of the host for deployment.
However to override individual parts of the deployment target, a deployment_configuration.json can be used.
This is exactly what we're doing to set the default deployment user to colmena-deploy and have custom target hostnames for Chaosknoten hosts, since they don't have an FQDN defined in their nixosConfiguration.
Setting up secrets with sops-nix for a host
- Convert the hosts SSH host public key to an age public key.
This can be done by connecting to the host and running:
cat /etc/ssh/ssh_host_ed25519_key.pub | ssh-to-age - Add the resulting age public key to the
.sops.yamlas a YAML anchor in keys. It should be named something like:host_age_hostname - Add a new creation rule for the hosts config directory.
It should probably have all admin keys and the hosts age key.
You can use existing creation rules as a reference. - Create a file containing the relevant secrets in the hosts config directory.
This can be accomplished with a command similar to this:
Note: Nested keys don't seem to be compatible with sops-nix.sops config/hosts/hostname/secrets.yaml - Add the following entry to the modules of the hosts
nixosConfiguration:sops-nix.nixosModules.sops - Create a
sops.nixin the hosts config directory containing the following content to include thesecrets.yaml:{ ... }: { sops = { defaultSopsFile = ./secrets.yaml; }; } - Make sure the
sops.nixgets imported. For example in thedefault.nix. - To use a secret stored under e.g.
forgejo_git_smtp_password, you can then do something like the following:
This secret would then be available undersops.secrets."forgejo_git_smtp_password" = { mode = "0440"; owner = "forgejo"; group = "forgejo"; restartUnits = [ "forgejo.service" ]; };/run/secrets/forgejo_git_smtp_passwordon the host.
Build NixOS Proxmox VE Template
Build a new NixOS Proxmox VE Template for the thinkcccore's:
nix build .#proxmox-nixos-template
Build a new NixOS Proxmox VE Template for the chaosknoten:
nix build .#proxmox-chaosknoten-nixos-template
License
This CCCHH nix-infra repository is licensed under the MIT License.
librespot_PR1528_conflicts_resolved.patch is a modified version of librespot PR 1528 and is licensed under the MIT license.